Healthcare Hacker Attack Victim Tally Soaring
Federal Breach Tally Shows Spike in Affected Individuals
Hacker attacks recently added to the Department of Health and Human Services' Office for Civil Rights "wall of shame" tally of major health data breaches affected a total of more than 8 million victims.
The tally now lists 60 hacker attacks posted in 2016, affecting nearly 11 million individuals. That's up from 51 such incidents affecting 2.8 million just a few weeks ago (see Healthcare Hacker Attacks: No End in Sight).
Among the hacker attacks recently added to the tally are:
- An incident at Banner Health affecting 3.6 million individuals, making it the largest of all the breaches added to the tally so far this year. An initial attack against payment card processing systems apparently opened the door to the attackers accessing healthcare data.
- A cyberattack targeting Newkirk Products - a business associate that issues insurance cards for large health plans, including several Blue Cross Blue Shield organizations - that affected 3.4 million individuals. Newkirk says the incident involved unauthorized access to a server containing certain personal information for health plan members. This is the second largest incident involving a business associate listed on the tally since its inception in September 2009.
- An attack targeting Valley Anesthesiology and Pain Consultants in Arizona that exposed information on about 883,000 patients.
- An incident at Prosthetic & Orthotic Care that affected 23,000 individuals. A spokesman for the clinic confirms that it was one of several organizations recently attacked by a hacker dubbed "The Dark Overlord." The hacker made "a variety of extortion attempts" on the clinic, but Prosthetic & Orthotic Care refused to pay, the spokesman says.
Hacker incidents now account for about one-third of the 183 breaches added to the wall of shame so far this year. But they represent about 84 percent of the 12.9 million individuals affected by the breaches added.
Since the tally was launched in 2009, 1,643 breaches impacting 167.4 million individuals have been posted. Of those, 217 affecting nearly 126 million individuals are listed as hacking or IT incidents.
Still missing so far from the wall of shame, however, are breaches related to some high-profile ransomware attacks earlier this year, including an attack on Hollywood Presbyterian Medical Center, which paid extortionists about $17,000 in bitcoin to unlock data.
Slow to Move?
Hacker attacks and other breaches often are, at least in part, the result of blunders or common security vulnerabilities that organizations have been slow to address, says privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group.
"All I can say is that it's very discouraging," she says. "I can't say I'm shocked, though. Given that the proposed HIPAA Security Rule was published in 1998, and that the basics of information security really haven't changed since then, the healthcare industry has moved glacier-like on security. While even the best security program still leaves risk and can't totally eliminate breaches, it seems that many or most of these current breaches were avoidable through traditional security processes."
But there are signs of infosecurity progress in the healthcare sector, says Dan Berger, CEO of the security consulting firm Redspin.
"More and more, we see healthcare organizations asking for help in framing investments in cybersecurity in terms of organizational risk reduction," Berger says. "They need help in 'connecting the dots' between high-profile hacker attacks or large data breaches and internal requests for more resources - be that hiring people, buying technology or engaging third-party security expert consulting firms. I think this is a good sign - it means that more conversations are happening at the executive and board of directors level."
In addition to hacker attacks, some other recent major breaches have been tied to mistakes by staff members of business associates.
That includes a recent large breach disclosed by Baltimore-based Bon Secours Health System affecting 655,000 individuals, which has not yet been posted on the wall of shame.
In a notification sent to patients, Bon Secours says that on June 14, it discovered that files containing patient information inadvertently had been left accessible by one of its business associates, R-C Healthcare Management. "While attempting to adjust their computer network settings from April 18 to April 21, R-C Healthcare inadvertently made files located within their computer network accessible via the internet," Bon Secours says.
"Files accidentally left accessible by the internet suggests that the organization lacked an adequate change management process," Borten says. "The evidence seems to show that the industry's information security efforts just aren't what they should, and can, be."
Healthcare IT security expert Ellen Fischl-Bodner of network security vendor Tufin notes: "The entire change management process is a delicate, yet complex lifecycle that requires security policy orchestration and automation to eliminate some of the more manual aspects and proactively assess potential risks."
A Persistent Breach Risk
But the Bon Secours incident is also a reminder of the persistent breach risk that business associates pose to covered entities. For example, in recent months, about 20 hacker breaches have been reported by covered entities that all have a common business associate - cloud-based electronic health records vendor Bizmatics Inc., which suffered a cyberattack last year (see Bizmatics Cyberattack: Assessing the Fallout).
"Covered entities and business associates are in a codependent relationship when it comes to protecting patient data," Redspin's Berger says. "In the past, there's been a tendency to treat all business associates simply as third-party vendors. But CEs need to realize that some BAs present a greater risk than others. And not all BAs are the same in terms of their security maturity."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says it's vital that covered entities and their business associates focus on both the longstanding culprits of healthcare breaches as well as emerging threats.
"Organizations should ensure that they continue to address longstanding issues by increasing or maintaining encryption efforts and tracking how paper records are maintained and disposed of," Greene suggests. "But now [they] have to allocate more resources to protecting against targeted cyberattacks. With limited budgets, there are no easy answers, but a strong risk assessment continues to be one of the best means of allocating resources."